For people that work in big companies, how do you handle system controls?

Hello, I've recently started out as an analyst for a big multinational company. This is my first experience in this kind of field and I gotta say so far it seems to be quite disheartening.

My role is to manage internal system controls over IS solutions that support the business. Mainly I dispatch these controls and help people figure out how to do them. There are usually pre-defined Excel templates for each control; controls can be a review of the accounts nested into a system, a review of the accounts that we manage through AD to give access to a specific system, a review of the payroll file security, of shared mailboxes, of generic accounts, etc.

It is, however, occurring to me that in this company everyone hates to do this kind of stuff and it brings no value to them; it's usually only after I get their supervisor involved that they cave in and do them. If this is manageable for some controls, controls like the one about reviewing the membership and ownership of shared mailboxes usually mean having 100-150 people to get in touch with, which is both incredibly time-consuming and inefficient. Some people just ignore your emails because they're too "high up", others need to be goaded over and over and over, and of course to deliver a result you're always dependent on at least 5 people to do their part.

Right now, for instance, due to an upcoming CAD, we're doing a review of all people that have access to shared folders. The data preparation for this is ridiculous, as it involves sorting through a 60 MB Excel file and creating a report for each departmental folder outlining the folder, its subfolders and all the AD groups that have access to it, then extracting the members from each AD group and sending the file over to whoever should perform (hopefully in time) the review.

It doesn't help that, as I am new, I have to interact with people who often have a much more intimate knowledge of the infrastructure than I have and often ask questions that I simply do not have an answer to. I was wondering, for people that work in a similar position, does your company have such exercises as well? Are they handled manually or are they automated? I am trying to understand if these kinds of exercises are done the wrong way there or if it is like that everywhere.

Thanks for your time and have a nice day
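The shared-folder data preparation described in the post (folder, subfolders, AD groups with access, members of each group, one report per departmental folder) can be scripted once folder permissions and group memberships are exported. The following is an added example, not part of the original post: the CSV columns, server name, group names and accounts are all constructed, and it assumes the departmental folder is the first path component after the server.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (not from the post): one row per folder/group ACL entry.
ACL_CSV = r"""folder,group
\\fs01\Finance,GRP_Finance_RW
\\fs01\Finance\Payroll,GRP_Payroll_RW
\\fs01\HR,GRP_HR_RW
\\fs01\HR\Archive,GRP_Old_Project
"""

# Constructed group membership; a member that is itself a key is a nested group.
MEMBERS = {
    "GRP_Finance_RW": ["alice", "bob", "GRP_Payroll_RW"],
    "GRP_Payroll_RW": ["carol", "GRP_Finance_RW"],  # circular nesting on purpose
    "GRP_HR_RW": ["dave"],
}

def expand(group, members, seen=None):
    """Return the user accounts in a group, following nested groups once each."""
    seen = set() if seen is None else seen
    if group in seen:  # already visited: stops circular nesting from recursing forever
        return set()
    seen.add(group)
    users = set()
    for member in members.get(group, []):
        if member in members:
            users |= expand(member, members, seen)
        else:
            users.add(member)
    return users

def build_reviews(acl_csv, members):
    """Group ACL rows by departmental folder and attach the effective members."""
    reviews = defaultdict(list)
    for row in csv.DictReader(io.StringIO(acl_csv)):
        dept = row["folder"].strip("\\").split("\\")[1]  # \\server\<department>\...
        reviews[dept].append({
            "folder": row["folder"],
            "group": row["group"],
            "members": sorted(expand(row["group"], members)),
            # Group on an ACL but absent from the membership export: needs follow-up.
            "unresolved": row["group"] not in members,
        })
    return dict(reviews)

if __name__ == "__main__":
    for dept, rows in build_reviews(ACL_CSV, MEMBERS).items():
        print(f"== Review sheet: {dept} ==")
        for r in rows:
            who = ", ".join(r["members"]) or "(no members resolved)"
            flag = "  [group missing from membership export]" if r["unresolved"] else ""
            print(f"{r['folder']}  {r['group']}: {who}{flag}")
```

Each department's rows can then be written to its own sheet or file for the reviewer, with unresolved groups listed separately so they are not silently approved.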
